Introduction
What is SYSOPS?
SYStems OPerationS
Course Prerequisites
• Solid AWS service fundamentals
• Previous AWS operations experience
  • CLI
  • Console
• Command-line proficiency
Course Scope
In Scope:
• Operations
• Limits
• Trade-offs
• Service scope
• Deployment choices
• Sample questions
Out of Scope:
• Service definition
• Fundamentals
• Global PoP
• Architecture
Exam Dashboard
Where is the exam dashboard?
https://aws.amazon.com/certification/certified-sysops-admin-associate/
Exam Dashboard
Job Description Analogy
Exam Blueprint
Where is the current exam guide?
https://d1.awsstatic.com/training-and-certification/docs-sysops-associate/AWS%20Certified%20SysOps%20-%20Associate_Exam%20Guide_Sep18.pdf
Explanation of question domains
TL; DR
Too Long; Didn't Read
• SysOps requires an understanding of architecture
• Fewer services to learn than for the Solutions Architect Associate (SAA) certification
• Architecture answers "what" and "why"; SysOps answers "how" and "when"
• Focus on monitoring and automation of tasks
Concepts
Deploy, manage, and operate scalable, highly available, and fault tolerant systems on AWS
Operations:
• Deploy
• Manage
• Operate
Architecture:
• Scalable
• Highly available
• Fault tolerant
Concepts
Implement and control the flow of data to and from AWS
AWS Knowledge
TL; DR
• Experience similar to the candidate requirements in a job description
• The command line interface is rich with subtle options
  • Know what they are and when to use them
• Focus on solutions using automation
• CLI and SDK have similar functionality
  • Know the benefits and drawbacks of each
Candidate Overview
Minimum of one year hands-on experience with AWS
Resource scope:
• AZ
• Region
• Global
Service models:
• IAAS
• PAAS/SAAS
  • No management of infrastructure
• DNS/CDN
Candidate Overview
Service Manageability
• Unmanaged
  • Less HA/FT
  • Building blocks
• Managed
  • Range from PAAS to SAAS
  • Less overhead
Candidate Overview
Understanding of network technologies as they relate to AWS
AWS CLI Linux/macOS Install
Standalone installer
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o awscli-bundle.zip
unzip awscli-bundle.zip
./awscli-bundle/install -b ~/bin/aws
AWS CLI Windows Install
Python module install (same as Linux and MacOS)
pip install awscli --upgrade --user
AWS CLI Configuration Advanced
IAM Role in .aws/config using a named profile
[profile securityadmin]
role_arn = arn:aws:iam::123456789012:role/securityadmin
source_profile = default

Cross-account access with MFA
[profile otheraccount]
role_arn = arn:aws:iam::234567890123:role/otheraccount
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/chadsmith
external_id = 456789
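A role profile without mfa_serial lets anyone holding the source profile's long-lived keys assume the role with no second factor, so the first thing to check in a shared config is which role profiles skip MFA and whether their source_profile chains actually resolve. The script below is an added example, not part of the original deck: it parses the same ~/.aws/config syntax shown above with the standard library and flags role profiles that have no mfa_serial, point at an undefined source_profile, or form a loop. SAMPLE_CONFIG is constructed for the example; the account IDs, role names and the loop-a/loop-b/broken profiles are hypothetical.

```python
"""Audit AWS CLI role profiles in ~/.aws/config text (added example, not AWS code)."""
import configparser

# Constructed sample config; the 'broken' and 'loop-*' profiles are hypothetical
# and exist only to exercise the checks.
SAMPLE_CONFIG = """
[default]
region = us-east-1

[profile securityadmin]
role_arn = arn:aws:iam::123456789012:role/securityadmin
source_profile = default

[profile otheraccount]
role_arn = arn:aws:iam::234567890123:role/otheraccount
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/chadsmith
external_id = 456789

[profile broken]
role_arn = arn:aws:iam::234567890123:role/deploy
source_profile = nonexistent
mfa_serial = arn:aws:iam::123456789012:mfa/chadsmith

[profile loop-a]
role_arn = arn:aws:iam::111111111111:role/a
source_profile = loop-b
mfa_serial = arn:aws:iam::111111111111:mfa/ops

[profile loop-b]
role_arn = arn:aws:iam::111111111111:role/b
source_profile = loop-a
mfa_serial = arn:aws:iam::111111111111:mfa/ops
"""


def load_profiles(text):
    """Return {profile_name: {key: value}}; strips the 'profile ' prefix the CLI uses in config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser.items(section))
    return profiles


def resolve_chain(profiles, name):
    """Follow source_profile links from `name`.

    Returns (chain, problem) where problem is None, 'missing' (a link points
    at an undefined profile) or 'loop' (the chain revisits a profile).
    """
    chain, seen = [], set()
    while True:
        if name in seen:
            return chain, "loop"
        if name not in profiles:
            return chain, "missing"
        seen.add(name)
        chain.append(name)
        name = profiles[name].get("source_profile")
        if name is None:          # reached a profile that holds static credentials
            return chain, None


def audit_profiles(text):
    """Return {role_profile: [findings]} for every profile that assumes a role."""
    profiles = load_profiles(text)
    findings = {}
    for name, settings in profiles.items():
        if "role_arn" not in settings:
            continue                      # static-credential profile, nothing to chain
        issues = []
        if "mfa_serial" not in settings:
            issues.append("assumes a role without mfa_serial")
        _, problem = resolve_chain(profiles, name)
        if problem == "missing":
            issues.append("source_profile chain references an undefined profile")
        elif problem == "loop":
            issues.append("source_profile chain forms a loop")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for profile, issues in audit_profiles(SAMPLE_CONFIG).items():
        print(profile, "->", issues or ["ok"])
```

Run it against a real file with `audit_profiles(open(os.path.expanduser("~/.aws/config")).read())`; the CLI itself only reports the missing-profile and loop cases at the moment a command is run, and never reports the missing-MFA case at all.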
AWS CLI Command Help
aws <service> <action> help
• Context-sensitive
• Paginated
• Examples
AWS CLI Command Format
--profile
  great for assuming roles
--region
  specify the region of the resource acted upon
--output
  json for schema and structured output
  text to remove formatting
  table for human readable format
--endpoint-url
  point the CLI at a specific endpoint (for example a VPC interface endpoint or a FIPS endpoint); can help avoid latency issues
AWS CLI Command Format
--generate-cli-skeleton
  works with --cli-input-json
  used for many actions
  output includes all possible options
  provides more structure than cli options
  great for operations and automation
AWS CLI Queries
--query
  restrict output to specific properties
  requires knowing the JSON response structure of the specific API operation
  JMESPath query expressions supported
  applied client-side, after the response is received
  use for chaining commands together
  use for setting variables in scripts
AWS CLI Filters
--filter
  restrict output to specific objects
  applied by the API itself (server-side), so it reduces the response set, which can save time
  different for every API operation
  contextual help for documentation
  the documented option name for the EC2 describe commands is --filters (as in the Bash script further down); --filter in the example that follows relies on the CLI accepting an unambiguous option prefix
AWS CLI Example
aws ec2 describe-instances --output text \
  --query 'Reservations[*].Instances[?not_null(Tags[?Key == `Name`].Value)].[join(`,`,Tags[?Key==`Name`].Value),InstanceId,PublicDnsName,PrivateDnsName]' \
  --filter Name=group-name,Values=secgroupprefix* \
           Name=instance-state-name,Values=running
CLI vs SDK
CLI:
• Text
• Easy
SDK:
• Objects
• Portable
CLI vs SDK Bash
#!/bin/bash
# Delete every unattached ("available") EBS volume in the given region.
# --dry-run only checks permissions (the API answers DryRunOperation); remove it to really delete.
region=$1
vols=$(aws ec2 describe-volumes --region "$region" \
  --filters Name=status,Values=available \
  --query 'Volumes[].VolumeId' --output text | tr -s '\t' '\n')
for i in $vols; do
  aws ec2 delete-volume --region "$region" --volume-id "$i" --dry-run
done
CLI vs SDK Python
#!/usr/bin/env python3
import sys
import boto3
from botocore.exceptions import ClientError
region = sys.argv[1]
ec2 = boto3.resource("ec2", region_name=region)
available_volumes = ec2.volumes.filter(
    Filters=[{'Name': 'status', 'Values': ['available']}]
)
for volume in available_volumes:
    try:
        # DryRun=True never deletes; a permitted call raises DryRunOperation.
        volume.delete(DryRun=True)
    except ClientError as e:
        if e.response['Error']['Code'] != 'DryRunOperation':
            raise
        print(f"would delete {volume.id}")
CLI vs SDK Python (Lambda)
import boto3
from botocore.exceptions import ClientError

def lambda_handler(event, context):
    # Region comes from the event payload, e.g. {"region": "us-east-1"}
    regionid = event['region']
    ec2 = boto3.resource("ec2", region_name=regionid)
    available_volumes = ec2.volumes.filter(
        Filters=[{'Name': 'status', 'Values': ['available']}]
    )
    for volume in available_volumes:
        try:
            volume.delete(DryRun=True)   # a permitted dry run raises DryRunOperation
        except ClientError as e:
            if e.response['Error']['Code'] != 'DryRunOperation':
                raise
Question Breakdown
Which command can you run to understand syntax and task-specific options for creating an EBS volume?
Domain 1 - Monitoring and Reporting
Monitoring and Reporting
• 22% of the exam content
• Create and maintain metrics and alarms utilizing AWS monitoring services
• Recognize and differentiate performance and availability metrics
• Perform the steps necessary to remediate based on performance and availability metrics
TL; DR
• CloudWatch metrics can be viewed in different ways
• Learn the common metrics for covered services
• Know which services have status checks
• Know the integration points between monitoring services and automated remediation
CloudWatch Entry Points
• CloudWatch Console
• Resource Dashboards
• CLI
CloudWatch Metric Highlights
EC2:
• CPUCreditBalance
• CPUUtilization
• NetworkIn
• NetworkOut
EBS:
• VolumeIdleTime
• VolumeQueueLength
• VolumeReadBytes
• VolumeReadOps
• VolumeWriteBytes
• VolumeWriteOps
CloudWatch Metric Highlights
Classic LB:
• BackendConnectionErrors
• HTTPCode_Backend_2XX, 3XX, 4XX, 5XX
• HTTPCode_ELB_4XX, 5XX
• RequestCount
• SpilloverCount
• SurgeQueueLength
• UnHealthyHostCount
CloudWatch Metric Highlights
Application LB:
• ActiveConnectionCount
• ConsumedLCUs
• HealthyHostCount
• HTTPCode_ELB_4XX_Count, 5XX_Count
• HTTPCode_Target_2XX_Count, 3XX_Count
• HTTPCode_Target_4XX_Count, 5XX_Count
• NewConnectionCount
• RejectedConnectionCount
• RequestCount
• RequestCountPerTarget
• RuleEvaluations
• TargetConnectionErrorCount
• TargetResponseTime
• UnHealthyHostCount
CloudWatch Metric Highlights
Network LB:
• ActiveFlowCount
• ConsumedLCUs
• HealthyHostCount
• NewFlowCount
• TCP_Client_Reset_Count
• TCP_ELB_Reset_Count
• TCP_Target_Reset_Count
• UnHealthyHostCount
CloudWatch Metric Highlights
RDS (Non-Aurora):
• CPUUtilization
• DatabaseConnections
• FreeStorageSpace
• ReadIOPS
• WriteIOPS
CloudWatch Metric Highlights
RDS (Aurora) (lots of Latency/Throughput metrics):
• ActiveTransactions
• BlockedTransactions
• CommitThroughput
• DeleteThroughput
• InsertLatency
CloudWatch Metric Highlights
DynamoDB:
• ConsumedReadCapacityUnits
• ConsumedWriteCapacityUnits
• ReadThrottleEvents
• WriteThrottleEvents
CloudWatch Custom Metrics
• Required for anything generated inside the OS
  • Shared Responsibility Model coming later
• Can be pushed from on-prem resources
• Good for application metrics
CloudWatch Alarm Actions
Notify (PASSIVE):
• SNS notifications: Email, SMS, HTTP/HTTPS
• SNS trigger: Lambda function
Remediate (ACTIVE):
• EC2: Stop, Reboot, Terminate, Recover
• SNS notifications: Email, SMS, HTTP/HTTPS
• SNS trigger: Lambda function
CloudWatch Events
• Doesn't require metrics
• More like a transaction log
• Targets include Kinesis Firehose and more!
CloudWatch Logs
Action         Details
Aggregate      Multiple sources
Stored in      CloudWatch Logs
Log Monitoring and Storage
Diagram: API Gateway, EC2, and Lambda send logs to CloudWatch Logs, with S3 as the storage destination.
Status Checks
• Availability metrics
• Determination of whether a resource is accessible
• Can indicate failures at the infrastructure tier
EC2 Status Checks
• System Status Checks
  • Network connectivity
  • Physical host power
  • Physical host OS issues
  • Physical host H/W issues
• Instance Status Checks
  • Network configuration issue
  • OS configuration issue
  • OOM
  • Corrupt volume
  • Kernel issue
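The two check types above map onto different alarm actions from the CloudWatch Alarm Actions list: a failed System status check is a fault on the physical host, which Recover fixes by moving the instance to healthy hardware (the StatusCheckFailed_System metric is the usual alarm trigger), while a failed Instance status check is a fault inside the guest, where Reboot is the cheapest fix (StatusCheckFailed_Instance). The script below is an added example, not code from the deck: it takes a payload in the shape of `aws ec2 describe-instance-status` output and decides the action per instance, refusing to act while checks are still initializing. SAMPLE_RESPONSE is constructed and the instance IDs are hypothetical. Recover is not available for every instance type, so a production alarm still needs a notify action as fallback.

```python
"""Triage EC2 status-check results into alarm actions (added example, not AWS code)."""

# Constructed payload in the shape of `aws ec2 describe-instance-status`; IDs are hypothetical.
SAMPLE_RESPONSE = {
    "InstanceStatuses": [
        {   # healthy
            "InstanceId": "i-0aaaaaaaaaaaaaaa1",
            "InstanceState": {"Code": 16, "Name": "running"},
            "SystemStatus": {"Status": "ok",
                             "Details": [{"Name": "reachability", "Status": "passed"}]},
            "InstanceStatus": {"Status": "ok",
                               "Details": [{"Name": "reachability", "Status": "passed"}]},
        },
        {   # underlying host problem: the system check failed (instance check fails too)
            "InstanceId": "i-0bbbbbbbbbbbbbbb2",
            "InstanceState": {"Code": 16, "Name": "running"},
            "SystemStatus": {"Status": "impaired",
                             "Details": [{"Name": "reachability", "Status": "failed"}]},
            "InstanceStatus": {"Status": "impaired",
                               "Details": [{"Name": "reachability", "Status": "failed"}]},
        },
        {   # guest problem: only the instance check failed
            "InstanceId": "i-0ccccccccccccccc3",
            "InstanceState": {"Code": 16, "Name": "running"},
            "SystemStatus": {"Status": "ok",
                             "Details": [{"Name": "reachability", "Status": "passed"}]},
            "InstanceStatus": {"Status": "impaired",
                               "Details": [{"Name": "reachability", "Status": "failed"}]},
        },
        {   # just launched: checks have not finished yet
            "InstanceId": "i-0ddddddddddddddd4",
            "InstanceState": {"Code": 16, "Name": "running"},
            "SystemStatus": {"Status": "initializing",
                             "Details": [{"Name": "reachability", "Status": "initializing"}]},
            "InstanceStatus": {"Status": "initializing",
                               "Details": [{"Name": "reachability", "Status": "initializing"}]},
        },
    ]
}


def failed_checks(entry):
    """Names of status-check details reporting 'failed', prefixed with the check type."""
    failed = []
    for check in ("SystemStatus", "InstanceStatus"):
        for detail in entry[check].get("Details", []):
            if detail["Status"] == "failed":
                failed.append(f"{check}.{detail['Name']}")
    return failed


def recommend_action(entry):
    """Return 'recover', 'reboot', 'wait' or 'none' for one InstanceStatuses entry."""
    if entry["InstanceState"]["Name"] != "running":
        return "none"          # status checks only apply to running instances
    system = entry["SystemStatus"]["Status"]
    instance = entry["InstanceStatus"]["Status"]
    if system == "impaired":
        return "recover"       # host fault: the system check wins even if the instance check also failed
    if instance == "impaired":
        return "reboot"        # guest fault: a reboot on the same host is the cheapest fix
    if "initializing" in (system, instance) or "insufficient-data" in (system, instance):
        return "wait"          # no verdict yet; never remediate on missing data
    return "none"


def triage(response):
    """Map every instance in the response to its recommended alarm action."""
    return {e["InstanceId"]: recommend_action(e) for e in response["InstanceStatuses"]}


if __name__ == "__main__":
    for instance_id, action in triage(SAMPLE_RESPONSE).items():
        print(instance_id, action)
```

Feed it live data with `triage(boto3.client("ec2").describe_instance_status(IncludeAllInstances=True))`; without IncludeAllInstances the API returns running instances only, so the "none" branch for stopped instances is never exercised.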
EBS Volume Status Check
• ok
  • Normal volume performance
• warning
  • Degraded or Severely Degraded volume performance
• impaired
  • Stalled or Not Available
• insufficient-data
RDS Status Checks
• Available
• Backing-up
• Configuring-enhanced-monitoring
• Creating
• Deleting
• Failed
• Inaccessible-encryption-credentials
• Incompatible-credentials
• Incompatible-network
• Incompatible-option-group
• Incompatible-parameters
• Incompatible-restore
• Maintenance
• Modifying
• Rebooting
• Renaming
• Resetting-master-credentials
• Restore-error
• Starting
• Stopping
• Stopped
• Storage-full
• Storage-optimization
• Upgrading
RedShift Cluster Status
• Available
• Creating
• Deleting
• Final-snapshot
• Hardware-failure
• Incompatible-hsm
• Incompatible-network
• Incompatible-parameters
• Incompatible-restore
• Modifying
• Rebooting
• Renaming
• Resizing
• Rotating-keys
• Storage-full
• Updating-hsm
Remediate After Monitoring
• Learn ways to optimize network performance
• Know how to recognize bottlenecks
Maximize Performance
• Single AZ
• Placement group
• Enhanced networking
• Jumbo frames
• Keep traffic inside the VPC
• VGW vs Direct Connect
Identify Bottlenecks
• Undersized NAT instance
• Undersized RDS instance
• Undersized EC2 instance
• Old EC2 instance type
• Underprovisioned EBS volume
• Latency from cross-AZ traffic
• Serving static assets from EC2
• Aggregating S3 requests from a single instance
Question Breakdown
Your company runs RabbitMQ on EC2, and wants to push custom metrics from the application into CloudWatch. Instances are launched into an IAM Role with appropriate permissions to accomplish this. There is a security requirement to track CloudWatch API calls to ensure an audit trail. How can this requirement be met?
A. Install the CloudWatch Logs Agent on the EC2 instances.
B. Enable detailed monitoring on the EC2 instances.
C. Create a CloudWatch Alarm on each RabbitMQ custom metric.
D. Enable AWS CloudTrail in the same region as the EC2 instances.
Breakdown – Answer Selection
A. Enables CloudWatch Logs integration, but doesn't meet the requirement.
B. Just changes the polling period for CloudWatch metrics.
C. Enables alerts and actions, but provides no audit trail.
D. CloudTrail logs enable an audit trail of API calls and meet the requirement.
Answer: D
AWS Certified SysOps Administrator (Associate) Crash Course
Domain 2 - High Availability
High Availability
• 8% of exam content
• Implement scalability and elasticity based on use case
• Recognize and differentiate highly available and resilient environments on AWS
TL; DR
• Learn common deployment patterns for HA
• Just in time provisioning
• Trend toward temporary resources
• Trend toward managed services
• Trend toward regional scope over AZ scope
• Multi-regional deployments increase availability and cost
• Focus on details over strategy
• How does HA affect operations?
Terms
Fault Tolerance - The system will continue to function without degradation in performance despite the complete failure of any component of the architecture.
VPC
• Multiple AZ (Availability Zones), each with private subnets
• Multiple subnets with different internet accessibility
• NAT GW per AZ
• Egress points (Internet Gateway, VPC Endpoint, Virtual Private Gateway) are all HA/FT
ELB
Inherently HA, scalable and elastic
• Classic
  • Layer 4 or 7
  • Supports EC2 Classic
• ALB
  • Layer 7
  • Path-based routing
• NLB
  • Layer 4
  • Static IP entry point
Decoupling with SNS and SQS
• Publish a message to an SNS topic to start the workflow
• SNS delivers the same message to 3 SQS queues for 3 tasks
• 3 Auto Scaling groups consume the queues and perform the tasks independently
Domain 3 - Deployment and Provisioning
Deployment and Provisioning
• 14% of exam content
• Identify and execute steps required to provision cloud resources
• Identify and remediate deployment issues
TL; DR
• Know how to deploy individual resources
• Understand how to deploy groups of resources
• Deployment choices are not mutually exclusive
• Learn limitations of Infrastructure As Code options
• Identify tools for troubleshooting issues
Provision Cloud Resources
Manual Provisioning
OpsWorks Basics
• Chef Automate
• Puppet Enterprise
• Stacks consist of layers
  • EC2
  • Elastic Load Balancing
  • RDS
  • ECS
  • Custom
OpsWorks Key Concepts
• Good for Chef/Puppet shops (hybrid environments)
• Integrated with Auto Scaling
• Focuses on resources similar to on-prem networks
• Managed service = highly available
• Many integration points with the AWS ecosystem
Elastic Beanstalk Basics
Covered earlier
Elastic Beanstalk Key Concepts
• Manages the platform
  • ELB
  • Auto Scaling
  • RDS
• Used for resource create, update, and delete actions
• Still requires OS management
• Does not address backups
• Does not address multi-regional deployment
SSM Run Command Basics
• Runs manual or scheduled tasks
• Works in hybrid environments
• Parallelized
• Track results and errors
• Easier to troubleshoot in bulk than manual operations
• Requires agent
• Requires access to the SSM service API endpoint
ECS Basics
• Deploy containers without managing infrastructure
• Supports Docker and Windows containers
• Choice of deployment via EC2 or Fargate
• Supports existing VPC infrastructure
EKS Basics
• Similar to ECS, but uses Kubernetes
• Deploy Docker containers without managing infrastructure
• Choice of deployment via EC2 or Fargate
• Supports existing VPC infrastructure
• Hybrid infrastructure support
CodeDeploy Basics
• Deploy to EC2, Lambda, or on-premises
• File and command-based framework
• Rolling updates
• Blue/green deployments
• Stop and rollback
• Does NOT provision network or compute infrastructure
Blue-Green Deployment
• Weighted round-robin (RR) routing in front of two Elastic Beanstalk environments
• Weighted RR routing in front of two CloudFormation stacks
• Auto Scaling with Launch Config 1 and Launch Config 2
How many other possibilities?
• ECS
• OpsWorks
• CodeDeploy
• Multiple options for Elastic Beanstalk
• Multiple options for CloudFormation
• Multiple options for Autoscaling
• And others!
Question Breakdown
Your R&D team wants to deploy a new application using Docker containers. Which services can be used to deploy and manage the containers? (pick three)
A. EC2
B. AWS Lambda
C. Elastic MapReduce
D. Elastic Container Service
E. AWS Systems Manager
F. Elastic Beanstalk
Breakdown – Answer Selection
A. EC2 is the Swiss army knife of AWS, and supports containers.
B. Lambda is entirely serverless, with no control over infrastructure.
C. EMR is a managed Hadoop framework, not Docker.
D. Containers are the primary function of ECS.
E. SSM is for inventory, patches, parameters, and updates.
F. Elastic Beanstalk supports Docker as a choice for deployment.
Answers: A, D, F
DR Scenarios
Reference: https://media.amazonwebservices.com/AWS_Disaster_Recovery.pdf, pages 9-18
DR Scenarios - Highlights
Backup and restore
• Preparation: create AMIs and network infrastructure
• Execution: create ELB; launch EC2/RDS; restore data
Pilot light
• Preparation: create AMIs and network infrastructure; create ELB; launch DB; configure DB replication
• Execution: provision EC2; scale DB; promote DB replica; perform DNS cutover; configure monitoring; configure CI/CD
Warm standby
• Preparation: create AMIs and network infrastructure; create ELB; launch DB; configure 2-way DB replication; provision EC2
Multi site
• Preparation: create AMIs and network infrastructure; create ELB; launch DB; configure 2-way DB replication; provision EC2
Strategic summary (1 is best, 4 is worst)
Consideration         Backup and restore   Pilot light   Warm standby   Multi site
RTO                   4                    3             2              1
RPO                   4                    3             2              1
Cost                  1                    2             3              4
Time to implement     1                    2             3              4
Complexity to manage  1                    2             3              4
Enforcing Compliance
Config Rules
• Passive
• Configuration change or periodic triggers
• Evaluate changes through AWS Config
• Apply built-in rules or custom rules (Lambda function)
• View the Compliance Dashboard for results
Enforcing Compliance
Service Catalog
• Active
• CloudFormation templates as products
• Constraints act upon provisioning
• Users access Service Catalog, not individual services
Enforcing Compliance
S3 Lifecycle Policies
• Active
• Rules apply according to object age
• One-way flow of transition/expiration
• Rules can apply to prefixes or the full bucket
• Does not require a rule for every storage class
Enforcing Compliance
Glacier Vault Lock
• Active
• Use for delete denial (for example)
• 24 hours to complete the lock after initiating it; within that window the in-progress lock can still be aborted
• Can never be changed once locked
Data Integrity
Data integrity in transit
• All AWS API endpoints support SSL/TLS (HTTPS)
• SSL/TLS termination for ELB, CloudFront, API Gateway
• SSL/TLS endpoints for RDS, DynamoDB, RedShift
• VGW/VPN or Direct Connect
Question Breakdown
Your application requires access to images stored in S3. The frequency of access will be no more than 4 times per year, and the image originals have already been archived in Glacier. Which S3 storage class would be the most cost-effective for application access?
A. S3 Standard
B. S3 Infrequent Access
C. S3 One Zone-Infrequent Access
D. Reduced Redundancy Storage
Breakdown – Answer Selection
A. Standard is the most expensive S3 storage class.
B. S3-IA is a good option; not going to eliminate it yet.
C. One Zone-IA is a good option also, and cheaper than S3-IA, eliminating B as a choice. Because the originals are already archived in Glacier, losing the single AZ that holds the One Zone-IA copies is an acceptable risk.
D. RRS was a legacy option for cheaper storage, but due to price decreases on Standard and S3-IA it is no longer relevant.
Breakdown – Answer
All other choices eliminated. Answer: C
AWS Certified SysOps Administrator (Associate) Crash Course
IAM Policy Evaluation
Principal: "Can I do action X?"
Default answer? DENY!
1. Evaluate all associated policies as a whole: identity-based policy, resource-based policy, ACL.
   Is there an explicit DENY?
2. Organizations Service Control Policy: is there an explicit ALLOW? If no, implicit DENY.
3. All applicable policies: 1. Are there permission boundaries? 2. If yes, do they have an explicit ALLOW?
4. Applicable STS policy: 1. Is the principal assuming a role? 2. If yes, does the role have an explicit ALLOW?
5. Evaluate all associated policies as a whole: identity-based policy, resource-based policy, ACL.
   Is there an explicit ALLOW? If no, implicit DENY.
IAM Policy Tips
• Learn where to use “not”
• NotAction, NotIpAddress, NotResource, etc.
• Combine statements
• Policy length limited to 6144 characters
• Edit policies in console to auto-validate JSON
• Learn all condition types and appropriate use
IAM Policy Example Part 1
Ability to list the bucket itself:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "arn:aws:s3:::*",
    "Condition": {
      "StringLike": {
        "s3:prefix": ["s3bucketname"]}}
  },
IAM Policy Example Part 2
Allow operations within the bucket:
  {
    "Effect": "Allow",
    "Action": [
      "s3:ListBucket",
      "s3:PutObject",
      "s3:GetObject",
      "s3:GetObjectVersion"],
    "Resource": [
      "arn:aws:s3:::s3bucketname/*",
      "arn:aws:s3:::s3bucketname"]},
IAM Policy Example Part 3
  {
    "Effect": "Deny",
    "NotAction": ["s3:*"],
    "NotResource": [
      "arn:aws:s3:::s3bucketname/*",
      "arn:aws:s3:::s3bucketname"]}]}
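Tying the IAM Policy Evaluation flow to the three-part policy example, here is an added toy evaluator in Python (not the deck's code and not AWS's algorithm): it walks the slide order, default DENY, explicit DENY anywhere wins, then the Organizations SCP, permission boundary and STS session policy each need an explicit ALLOW, then the identity- and resource-based policies as a whole. It handles NotAction/NotResource, ignores Condition blocks (an assumption, so the Part 1 condition is dropped from the embedded copy), and treats a policy passed as None as absent.

```python
from fnmatch import fnmatchcase

# Constructed: the three-part policy from the slides, joined into one document
# (the Part 1 Condition block is omitted because this toy ignores conditions).
SLIDE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
     "Resource": ["arn:aws:s3:::s3bucketname/*", "arn:aws:s3:::s3bucketname"]},
    {"Effect": "Deny", "NotAction": ["s3:*"],
     "NotResource": ["arn:aws:s3:::s3bucketname/*", "arn:aws:s3:::s3bucketname"]}]}

def _hit(patterns, value):
    """IAM-style wildcard match (* and ?) against one pattern or a list of them."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource):
    """Does the statement cover the request? NotAction/NotResource invert the match."""
    act = _hit(stmt["Action"], action) if "Action" in stmt else not _hit(stmt["NotAction"], action)
    res = (_hit(stmt["Resource"], resource) if "Resource" in stmt
           else not _hit(stmt["NotResource"], resource))
    return act and res

def effects(policy, action, resource):
    """Effect values of every statement that applies; empty when no policy is attached."""
    if policy is None:
        return set()
    return {s["Effect"] for s in policy["Statement"] if _applies(s, action, resource)}

def evaluate(action, resource, identity=None, resource_policy=None,
             scp=None, boundary=None, session=None):
    """Walk the slide flow and return 'ALLOW' or 'DENY'."""
    everything = (identity, resource_policy, scp, boundary, session)
    if any("Deny" in effects(p, action, resource) for p in everything):
        return "DENY"                                   # explicit DENY anywhere wins
    for gate in (scp, boundary, session):               # SCP, permission boundary, STS policy
        if gate is not None and "Allow" not in effects(gate, action, resource):
            return "DENY"                               # gate present but no explicit ALLOW
    whole = effects(identity, action, resource) | effects(resource_policy, action, resource)
    return "ALLOW" if "Allow" in whole else "DENY"      # otherwise implicit DENY

if __name__ == "__main__":
    obj = "arn:aws:s3:::s3bucketname/photo.jpg"
    print(evaluate("s3:GetObject", obj, identity=SLIDE_POLICY))                       # ALLOW
    print(evaluate("s3:GetObject", "arn:aws:s3:::other/x", identity=SLIDE_POLICY))    # DENY
    deny_s3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
    print(evaluate("s3:GetObject", obj, identity=SLIDE_POLICY, scp=deny_s3))          # DENY
```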
Breakdown – Key Terms
AWS CloudTrail logs API requests to resources in your
account. Which additional service can you use to track
and visualize changes made on those resources?
A. AWS Config
B. KMS
C. Amazon Inspector
D. AWS CloudFormation
Breakdown – Answer Selection
Config allows for resource change tracking and visualization.
Breakdown – Answer Selection
KMS manages encryption keys.
Breakdown – Answer Selection
Inspector is used for OS security audit tasks.
Breakdown – Answer Selection
CloudFormation is designed for automated deployment of resources.
Breakdown – Answer
Answer: A. AWS Config
Domain 6 – Networking
Networking
• 14% of exam content
• Apply AWS networking features
• Implement connectivity features of AWS
• Gather and interpret relevant information for network
troubleshooting
TL; DR
• Ability to create VPC from scratch is a requirement
• Many of your resources could be outside VPC
• VPC security groups for whitelisting, NACLs for
blacklisting
• VPC route tables are for traffic egress
• ELB/ALB/NLB each have specific use cases
• Know when VPC Flow Logs are required for
troubleshooting
• Recognize common causes of connectivity issues
Implement Networking Features
• Understanding service scope
• Many services don’t allow network choices
• VPC networking
• CloudFront
• Elastic Load Balancing
• Route 53
VPC Networking Limits
Learn the default limits and which can be
increased when required
• Internet Gateway
• Virtual Private Gateway
• VPC Endpoint
• VPC Peering Connection
VPC IP Address Space
• Private IP ranges
• All networking features available
• RFC1918 compliance
• 10.0.0.0-10.0.255.255
• 172.16.0.0-172.31.255.255
• 192.168.0.0-192.168.255.255
VPC IP Address Space, cont’d
• Supported networks from /16 to /28 in size
• AWS reserves 5 IP addresses from each subnet
Resources shared
• Route 53 resolver rules
• AWS Transit Gateways
• Subnets
• AWS License Manager Configurations
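To make the VPC IP Address Space rules above concrete, here is an added Python check (not from the deck): it tests a candidate VPC block against RFC 1918 space (the RFC's own ranges, written out explicitly) and the /16 to /28 size limit, and works out which five addresses AWS keeps in a subnet; the identities of those five addresses are documented AWS behaviour stated here as an assumption rather than taken from the slides.

```python
import ipaddress

# RFC 1918 private address space as the RFC defines it (not copied from the deck)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5   # the five addresses the deck says AWS keeps in each subnet

def is_rfc1918(cidr):
    """True when the block lies entirely inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(r) for r in RFC1918)

def check_vpc_cidr(cidr):
    """Apply the deck's two rules for a VPC block: RFC 1918 space, /16 to /28.
    Returns a list of problems; an empty list means the block is acceptable."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not is_rfc1918(cidr):
        problems.append("not in an RFC 1918 range")
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the supported /16 to /28 sizes")
    return problems

def reserved_addresses(subnet_cidr):
    """The five per-subnet addresses AWS reserves (AWS-documented behaviour,
    stated here as an assumption rather than taken from the deck): the network
    address, the VPC router, the DNS resolver, one held for future use, and
    the broadcast address."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }

def usable_hosts(subnet_cidr):
    """Addresses left for your resources after AWS's five reserved ones."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET

if __name__ == "__main__":
    print(check_vpc_cidr("10.0.0.0/16"))       # []
    print(check_vpc_cidr("203.0.113.0/29"))    # two problems
    print(reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/24"))         # 251
```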
Question Breakdown
You suspect that one of your EC2 instances is the target
of a brute force hacking attempt. Which features could
you use to verify this claim? (pick 3)
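One of the troubleshooting sources the Networking TL;DR names is VPC Flow Logs; as an added example (not from the deck), here is how records in the default Flow Log format could be summarised to check a claim like the one in this question. The log lines are constructed, and the threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample records in the default VPC Flow Log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50123 22 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50124 22 6 4 240 1700000001 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50125 22 6 4 240 1700000002 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50126 22 6 4 240 1700000003 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50127 22 6 4 240 1700000004 1700000063 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50128 22 6 12 960 1700000005 1700000064 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44000 22 6 12 960 1700000005 1700000064 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44001 443 6 20 4000 1700000006 1700000065 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000007 1700000066 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Turn space-separated records into dicts; drop NODATA/SKIPDATA rows."""
    rows = (dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip())
    return [r for r in rows if r.get("log_status") == "OK"]

def connection_attempts(records, dst_port="22", protocol="6"):
    """Per source address: number of distinct flows to dst_port.

    Flow Logs aggregate by 5-tuple, so every new TCP connection attempt shows
    up as its own record with a fresh ephemeral source port."""
    attempts = defaultdict(set)
    for r in records:
        if r["dstport"] == dst_port and r["protocol"] == protocol:
            attempts[r["srcaddr"]].add((r["srcport"], r["action"]))
    return {src: len(flows) for src, flows in attempts.items()}

def suspect_sources(records, threshold=5, **kw):
    """Sources with at least `threshold` attempts; the threshold is an assumption."""
    return sorted(src for src, n in connection_attempts(records, **kw).items() if n >= threshold)

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(connection_attempts(recs))   # {'203.0.113.10': 6, '198.51.100.7': 1}
    print(suspect_sources(recs))       # ['203.0.113.10']
```

Flow Logs show connection volume against the port, not whether logins failed; the attempts themselves are recorded in the instance's own authentication log.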
Domain 7 – Automation
and Optimization
Automation and Optimization
• 12% of exam content
• Use AWS services and features to manage and assess
resource utilization
• Employ cost-optimization strategies for efficient
resource utilization
• Automate manual or repeatable processes to minimize
management overhead
TL; DR
• Monitor utilization to assist with optimization
• Organize resources using tags
• Take advantage of tiered pricing and discounts
• Managed services have lower TCO than unmanaged
• Scale horizontally in small increments for higher
efficiency
• Architect infrastructures with automation as a goal
Resource Utilization
• Trusted Advisor
• CloudWatch
• Detailed Billing Report
• Resource Tags
Cost Optimization
• Start by understanding your monthly bill
• EC2 cost models
• Temporary resources
• Managed services
• Trusted Advisor dashboard reports
Resource Groups
AWS Organizations
Manage multiple AWS accounts
• Hierarchical grouping of accounts
• Treat accounts like OU
• Automatically apply policies to new accounts
Operational ramifications
• Automated cross-account service integration
• Programmatic account creation
• Disables Detailed Billing console for child accounts
Question Breakdown
Your company has a large number of EBS snapshots that
have collected over time. You’ve been asked to remove
old snapshots and implement snapshot rotation in the
most efficient method. Which of the following
accomplishes this? (pick two)
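Whichever tool ends up enforcing it, a snapshot rotation scheme has to express a retention rule; as an added example (not from the deck), here is that rule as a pure-Python planner over constructed records shaped like a subset of EC2 DescribeSnapshots output (SnapshotId, VolumeId, StartTime). The specific rule is an assumption for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed records shaped like a subset of EC2 DescribeSnapshots output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"SnapshotId": "snap-0001", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=1)},
    {"SnapshotId": "snap-0002", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=8)},
    {"SnapshotId": "snap-0003", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=15)},
    {"SnapshotId": "snap-0004", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=40)},
    {"SnapshotId": "snap-0005", "VolumeId": "vol-b", "StartTime": NOW - timedelta(days=90)},
]

def rotation_plan(snapshots, keep_last=3, max_age_days=30, now=NOW):
    """Split snapshots into (keep, delete) id lists.

    Retention rule (an assumption for this example): per volume, the newest
    `keep_last` snapshots are always kept, so a volume is never left without
    one; beyond those, anything older than max_age_days is deleted."""
    by_volume = {}
    for snap in snapshots:
        by_volume.setdefault(snap["VolumeId"], []).append(snap)
    cutoff = now - timedelta(days=max_age_days)
    keep, delete = [], []
    for snaps in by_volume.values():
        snaps.sort(key=lambda s: s["StartTime"], reverse=True)   # newest first
        for rank, snap in enumerate(snaps):
            if rank < keep_last or snap["StartTime"] >= cutoff:
                keep.append(snap["SnapshotId"])
            else:
                delete.append(snap["SnapshotId"])
    return sorted(keep), sorted(delete)

if __name__ == "__main__":
    keep, delete = rotation_plan(SNAPSHOTS)
    print("keep:", keep)       # ['snap-0001', 'snap-0002', 'snap-0003', 'snap-0005']
    print("delete:", delete)   # ['snap-0004']
```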
Further Study
AWS Whitepapers
https://aws.amazon.com/whitepapers/
• Main whitepaper
• Whitepaper for each of the 5 pillars
• Focus on Operational Excellence!
• Well-Architected lens whitepapers (2 more!)
Get Out and Do Something!
https://aws.amazon.com/free/
Create an account
https://aws.amazon.com/getting-started/labs/
Self-paced labs hosted by qwikLABS
https://aws.amazon.com/getting-started/tutorials/
10-Minute Tutorials
Q&A